
Tom Ivar Helbekkmo via NANOG <nanog@lists.nanog.org> writes:
> SPF broke forwarding, both for individual recipients, and through email distribution lists, because the forwarding server wasn't on the list.
This is not entirely precise. It broke traditional alias forwarding, where the forwarding server would reuse the original envelope sender. But SPF does not break forwarding as long as the forwarding server uses its own proxy envelope sender. Mailing lists have traditionally "always" done this, even before SPF. Remember the "owner-" aliases?
> If the domain in the "From:" header matches the domain where the public key is stored, the recipient knows that the email was DKIM signed by a mail server trusted by the sending domain (since it must have the private key). It can, therefore, assume that the email really is from the "From:" address, and has not been modified along the way.
Yes, so this also works through a forwarding mail server, provided it only changes the envelope. Older mailing list software broke because it messed around with the message content, but that was completely unnecessary. And good to get rid of. Injecting some additional mailing list headers is still fine, and will not break DKIM.
> DMARC, finally, ties these things together. It lets you publish, once again using DNS, a few policy options for the handling of SPF and DKIM, for what you want done with the email, and for reporting back to you what was done, and why. DMARC requires either SPF or DKIM to pass, and you can choose whether you want the recipient system to quarantine or simply refuse email that fails to pass at least one of them.
The big problem with DMARC is that it ties SPF to the From header field, so changing the envelope sender will not work anymore. This forces the forwarder to mess with the From field to align it with an SPF-valid envelope. Which again will break any existing DKIM signature. Which of course can be worked around by adding another DKIM signature. DMARC is broken by design. SPF and DKIM worked fine alone.

Bjørn
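The forwarding cases argued over in this thread (alias forwarding that reuses the envelope sender, a list with its own "owner-" envelope sender, a list that edits the message, and the From-rewrite-plus-resign workaround) can be walked through with a small model of the three checks. The script below is an added example and is not code from the thread or from any real SPF/DKIM/DMARC implementation: the "DKIM signature" is an HMAC over the From, Subject and body, the SPF data is a constructed host list, and the domains, hosts and keys are all made up for illustration. What it shows is which check passes, whether the passing domain aligns with the From: domain, and therefore what DMARC would return in each scenario.

```python
"""Toy model of SPF, DKIM and DMARC alignment across forwarding scenarios.

Constructed example. The "signature" is an HMAC over the signed header
fields and the body, which is enough to show when a signature survives
forwarding and when message edits break it; it is not real DKIM.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed signing keys, one per domain (stand-in for DKIM key pairs
# whose public halves would be published in DNS).
DKIM_KEYS = {
    "example.org": b"constructed-key-for-example.org",
    "lists.example.net": b"constructed-key-for-lists.example.net",
}

# Constructed SPF data: the hosts each domain authorises to send for it.
SPF_HOSTS = {
    "example.org": {"mx1.example.org"},
    "lists.example.net": {"mx.lists.example.net"},
}


@dataclass
class Message:
    mail_from: str                    # envelope sender (RFC 5321 MAIL FROM)
    from_header: str                  # RFC 5322 From: header
    subject: str
    body: str
    signatures: list = field(default_factory=list)  # (signing domain, digest)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def _signed_content(msg: Message) -> bytes:
    # A DKIM signature covers selected headers (here From and Subject) plus the body.
    return f"{msg.from_header}\n{msg.subject}\n{msg.body}".encode()


def dkim_sign(msg: Message, signing_domain: str) -> None:
    digest = hmac.new(DKIM_KEYS[signing_domain], _signed_content(msg), hashlib.sha256).hexdigest()
    msg.signatures.append((signing_domain, digest))


def dkim_passing_domains(msg: Message) -> set:
    """Domains whose signature still verifies against the current content."""
    content = _signed_content(msg)
    return {
        d for d, digest in msg.signatures
        if hmac.compare_digest(digest, hmac.new(DKIM_KEYS[d], content, hashlib.sha256).hexdigest())
    }


def spf_result(msg: Message, connecting_host: str):
    """Return the envelope domain if the connecting host is authorised for it, else None."""
    d = domain_of(msg.mail_from)
    return d if connecting_host in SPF_HOSTS.get(d, set()) else None


def dmarc_evaluate(msg: Message, connecting_host: str) -> dict:
    """DMARC passes if SPF or DKIM passes *and* that domain aligns with the From: domain."""
    from_domain = domain_of(msg.from_header)
    spf_domain = spf_result(msg, connecting_host)
    dkim_domains = dkim_passing_domains(msg)
    spf_aligned = spf_domain == from_domain
    dkim_aligned = from_domain in dkim_domains
    return {
        "spf_pass": spf_domain is not None,
        "spf_aligned": spf_aligned,
        "dkim_pass": bool(dkim_domains),
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def original_message() -> Message:
    msg = Message("alice@example.org", "alice@example.org", "hello", "body text")
    dkim_sign(msg, "example.org")
    return msg


def scenario_direct() -> dict:
    return dmarc_evaluate(original_message(), "mx1.example.org")


def scenario_alias_forward() -> dict:
    # Traditional alias forwarding: envelope sender reused, delivered from a third host.
    return dmarc_evaluate(original_message(), "fwd.example.com")


def scenario_list_envelope_only() -> dict:
    # List uses its own "owner-" style envelope sender and leaves the content alone.
    msg = original_message()
    msg.mail_from = "owner-list@lists.example.net"
    return dmarc_evaluate(msg, "mx.lists.example.net")


def scenario_list_edits_subject() -> dict:
    # Older list software tagging the subject: the original signature no longer verifies.
    msg = original_message()
    msg.mail_from = "owner-list@lists.example.net"
    msg.subject = "[list] " + msg.subject
    return dmarc_evaluate(msg, "mx.lists.example.net")


def scenario_list_rewrites_from_and_resigns() -> dict:
    # The DMARC workaround: rewrite From: to the list's domain and add a new signature.
    msg = original_message()
    msg.mail_from = "owner-list@lists.example.net"
    msg.subject = "[list] " + msg.subject
    msg.from_header = "alice.via.list@lists.example.net"
    dkim_sign(msg, "lists.example.net")
    return dmarc_evaluate(msg, "mx.lists.example.net")


if __name__ == "__main__":
    for fn in (scenario_direct, scenario_alias_forward, scenario_list_envelope_only,
               scenario_list_edits_subject, scenario_list_rewrites_from_and_resigns):
        print(f"{fn.__name__:40s} {fn()}")
```

Running it prints one result line per scenario. Alias forwarding fails SPF but still passes DMARC through the intact, aligned DKIM signature; a list that only swaps the envelope sender passes SPF for its own domain (unaligned) and again rides on the original DKIM signature; a list that tags the subject breaks that signature and fails DMARC; rewriting From: to the list domain and adding the list's own signature passes, at the cost of the original signature no longer verifying.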